package com.atguigu.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.net.PasswordAuthentication;

@Configuration
//开启SpringSecurity的默认行为
@EnableWebSecurity
public class WebSecurityConfig  extends WebSecurityConfigurerAdapter {

  /*  @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin")
                .password(new BCryptPasswordEncoder().encode("123456"))
                .roles("");
    }*/

    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
            //允许iframe嵌套显示
        http.headers().frameOptions().disable();
        //登录设置
        http
                .authorizeRequests()
                .antMatchers("/static/**","/login").permitAll()
                //允许匿名用户访问的路径
                .anyRequest().authenticated()
                //其他页面全部需要验证
                .and()
                .formLogin()
                .loginPage("/login")
                //用户未登录时，访问任何需要权限的资源都跳转到该路径，即登录页面，此时登录成功后会继续跳转到第一次访问的资源页面，相当于被过滤了一下
                .defaultSuccessUrl("/")
                //登录认证成功后默认跳转的路径,意思是admin登录后也跳转到/user
                .and()
                .logout()
                .logoutUrl("/logout")
                //退出登录的路径，指定springsecurity拦截的注销url,退出功能是security提供的
                .logoutSuccessUrl("/login")
                //用户退出后要被重定向的url
                .and()
                .csrf()
                .disable(); //关闭跨域请求伪造功能

    }
}
